Security and Apache: An Essential Primer - page 2

Maxwell's Demon and Hat Colour

There are two basic types of access control: those that verify who you say you
are, and those that verify who you really are. The three basic
verification methods are to check

what you have,

what you know, or

what you are

or even some combination of these. In common noncomputer usage, an example
of the "what you have" method would be having the key to a padlock;
you can get in if you do. "What you know" is the method used to keep
other people out of your account; if they don't know your password,
tough luck for them. And "what you are" is coming into prominent play
in criminal investigations, as DNA patterns are admitted as evidence.

The best security systems use a combination. Your bank's teller machines,
for instance, use a combination of the first two methods: you need to
have the ATM card, and know the PIN associated with the card (or
the account).

But what's all this noise about discretionary and mandatory,
you ask? Put simply, discretionary access control (DAC) mechanisms check
credentials that the user chooses to present, and mandatory access control
(MAC) mechanisms check attributes the user cannot choose. Anyone can hand you
a username and password and you can then log in with them; which username and
password you supply is at your discretion, and the system cannot tell you apart
from the real owner. Your DNA is something you can't change, though: a control
that admitted only your pattern would never work for anyone else, and you
couldn't pretend to be someone else, either. That makes such a system a
mandatory (also called non-discretionary) access control system. (Be aware that
the operating-system literature uses these two terms more narrowly, for whether
access rules are set by the owner of a resource or imposed by a system-wide
policy; the looser sense above is the one used in the rest of this page.)

In Web terms, and Apache terms in particular, discretionary controls are
based on usernames and passwords, and mandatory controls are based on things
like the IP address of the requesting client. Bear in mind that the address
Apache sees is that of the TCP peer, which may be a proxy or NAT gateway
fronting many users, and that anything the client asserts about itself in a
request header (an X-Forwarded-For value, for instance) is just another
credential under its control, not a mandatory attribute.

Another way to keep discretionary versus non-discretionary controls straight
is to think about the way failures are handled. If you fail a discretionary
check (say you misspell your password), the server answers 401 Unauthorized
with a WWW-Authenticate challenge, your browser prompts you again, and you get
another chance. If a mandatory check fails, you get 403 Forbidden rather than
401: there is no challenge to answer, and there's no way to say "give me
another chance" short of starting from scratch and requesting the page again as
though for the first time. And unless something has changed on the server, even
retrying isn't going to make a difference; you'll still be locked out. (Apache
treats a failed Require user or Require group the same way as a bad password:
an authenticated user who isn't on the list still gets a 401 and a fresh
password prompt, not a 403.)
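The two kinds of control, and the two different failure responses, side by side in an Apache configuration. This is an added example, not a listing from the original article; the directory paths, the realm names and the 192.0.2.0/24 network (an RFC 5737 documentation range standing in for "the office LAN") are assumptions. The directive syntax is that of Apache 1.3 through 2.2, which the module names used in this article belong to; the Apache 2.4 equivalents are given in comments. (Apache does not accept trailing comments on a directive line, so every comment here sits on its own line.)

```apache
# Mandatory (non-discretionary) control: decided from the TCP peer address.
# A client outside 192.0.2.0/24 gets "403 Forbidden", and nothing it sends
# in the request can change that; only a change on the server, or a
# different network path, would.
<Directory /home/johnson/public_html/admin>
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
    # Apache 2.4 equivalent (mod_authz_host):
    #   Require ip 192.0.2.0/24
</Directory>

# Discretionary control: decided from credentials the client chooses to send.
# A request with missing or wrong credentials gets "401 Unauthorized" plus a
# "WWW-Authenticate: Basic realm=..." header, so the browser prompts again
# and the client can retry the same page.
<Directory /home/johnson/public_html/private>
    AuthType Basic
    AuthName "Johnson private area"
    # Flat file maintained with: htpasswd -c /home/johnson/private.htpasswd bob
    AuthUserFile /home/johnson/private.htpasswd
    Require valid-user
    # Apache 2.4: these four directives work unchanged.
</Directory>

# Both at once. "Satisfy all" (the default) means the address check AND the
# password check must pass; the address check runs first, so a client on the
# wrong network gets 403 before it is ever asked for a password.
# "Satisfy any" means either check is enough: clients on the trusted network
# are let in silently, everyone else must authenticate (and gets 401 until
# they do).
<Directory /home/johnson/public_html/staff>
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
    AuthType Basic
    AuthName "Johnson staff area"
    AuthUserFile /home/johnson/private.htpasswd
    Require valid-user
    Satisfy any
    # Apache 2.4 equivalent (Satisfy is gone; containers combine the rules):
    #   <RequireAny>
    #       Require ip 192.0.2.0/24
    #       Require valid-user
    #   </RequireAny>
</Directory>
```

Note that "Satisfy any" turns the network check into a way of bypassing the password, which is the intended design for an intranet area but a weakening for anything else; when in doubt leave the default "Satisfy all", which makes the two checks cumulative.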

Authentication versus Authorization

Authentication is the process of verifying that credentials are correct--that
is, that the username is in the database and the password is correct
for the username. Authorization is the process of checking to see if a
validated client is permitted to access a particular resource. For instance,
Bob may have correctly supplied his username and password, but still not be
able to access Jane's file because she hasn't included him in the authorization
list for it.

In Apache, almost all of the security-related modules actually do both. The
main feature that distinguishes them from each other is their authentication
aspect; mostly, they differ in where they look for the valid credential
information. The mod_auth module, for instance, looks in plain text files of
the kind htpasswd creates for the username and password info, and
mod_auth_dbm looks in a DBM database for it. They handle the
authorization side of their task (Require valid-user, Require user,
Require group) in essentially identical ways, however. (These are the Apache
1.3 module names; from Apache 2.2 on the same jobs are split between
mod_auth_basic and the mod_authn_* provider modules for authentication, and the
mod_authz_* modules for authorization, but the directives discussed here are
largely unchanged.)

The security modules are told which credential databases to use via
directives, such as AuthUserFile or AuthDBMGroupFile. The resource being
protected is determined from the placement of the directives in the
configuration files (inside a Directory or Files container, or in a .htaccess
file within the directory concerned); in this example:
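The listing the article shows at this point is missing from this copy of the page. The block below is a reconstruction from the description that follows it, not the original listing; the realm string is an assumption, and whether the original put these directives in httpd.conf (as here) or in a .htaccess file is not recoverable.

```apache
# Protect every file named foo.bar under /home/johnson/public_html.
# Authentication: Basic, against the flat file /home/johnson/foo.htpasswd
# (built with: htpasswd -c /home/johnson/foo.htpasswd <username>).
# Authorization: any user in that file ("valid-user") may read it.
<Directory /home/johnson/public_html>
    <Files foo.bar>
        AuthType Basic
        AuthName "Johnson's private files"
        AuthUserFile /home/johnson/foo.htpasswd
        Require valid-user
    </Files>
</Directory>
# The same four directives inside <Files foo.bar> in
# /home/johnson/public_html/.htaccess protect the same resource, provided
# the server's <Directory> block for that tree says "AllowOverride AuthConfig".
```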

the resource being protected is "any file named
foo.bar" in the /home/johnson/public_html
directory or anywhere underneath it. Likewise, the identification of which
credentials are authorized to access foo.bar is stated by the
directives--in this case, any user with valid credentials in the
/home/johnson/foo.htpasswd file can access it.
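To make the point that only the credential store changes while the authorization rule stays the same, here is the same resource protected first by mod_auth with a group file and then by mod_auth_dbm. This is an added example and not from the original article; the group name "editors", the group-file and DBM paths and the realm string are assumptions. Syntax is Apache 1.3; the Apache 2.4 provider directives are shown in comments.

```apache
# Variant 1: flat files (mod_auth). Authentication from foo.htpasswd,
# authorization from a group file whose lines read "editors: bob jane".
# Being in foo.htpasswd is no longer enough; the user must also be listed
# in the "editors" group, or Apache answers 401 and asks again.
<Directory /home/johnson/public_html>
    <Files foo.bar>
        AuthType Basic
        AuthName "Johnson's private files"
        AuthUserFile /home/johnson/foo.htpasswd
        AuthGroupFile /home/johnson/foo.groups
        Require group editors
    </Files>
</Directory>

# Variant 2: DBM database (mod_auth_dbm). Only the two *File directives
# change; the Require line, and therefore the authorization decision, is
# identical. In Apache 1.3 one DBM file may serve both directives, each
# record being "username -> encrypted-password:group1,group2"; it is
# maintained with dbmmanage (Apache 1.3) or htdbm (Apache 2.x).
<Directory /home/johnson/public_html>
    <Files foo.bar>
        AuthType Basic
        AuthName "Johnson's private files"
        AuthDBMUserFile /home/johnson/foo.dbm
        AuthDBMGroupFile /home/johnson/foo.dbm
        Require group editors
    </Files>
</Directory>
# Apache 2.4 needs the provider named and a provider-specific Require
# (mod_authn_dbm and mod_authz_dbm):
#   AuthBasicProvider dbm
#   AuthDBMUserFile /home/johnson/foo.dbm
#   AuthDBMGroupFile /home/johnson/foo.dbm
#   Require dbm-group editors
```

Whichever backend is used, keep the credential files outside the document root (as /home/johnson/foo.htpasswd is here, while the protected tree is /home/johnson/public_html), or a request for the file itself will hand out the password hashes.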
